The DomainTools Report: Spring 2017 Edition
For the past few years, DomainTools has conducted research to unearth patterns in malicious domain registrations. Past reports compared neutral and malicious domains on attributes such as domain age, measured relative badness by the entropy of domain names, and analyzed registrars and "hot spots" of malicious domains. In the most recent supplement, published in the spring of 2017, we looked at TLDs (top-level domains), Whois privacy providers, free email providers, and IP geography to identify trends in nefarious activity.
We analyzed a corpus of active domains across the Internet, drawn from the approximately 315 million domain names currently registered, to identify patterns and pinpoint nefarious activity at large scale. The approach mirrors the methodologies that security analysts and threat hunters use at smaller scales to expose threat actor infrastructure: pivot on a registration attribute, compare the share of known-bad domains carrying that attribute value against the baseline, and treat values that are heavily over-represented as hot spots.
This white paper highlights concentrations of badness in:
- Top level domains
- Whois privacy services
- Free email providers represented in registrant email fields
- IP geographies
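The following is an added example, not code from DomainTools or from the report itself, showing how a "concentration of badness" can be computed across the four pivots listed above. It assumes a small, constructed set of Whois-style records with a malicious/neutral label, and it assumes one particular metric: relative badness as the malicious rate within a pivot value divided by the malicious rate of the whole corpus (1.0 means no signal, 2.0 means twice the baseline). The report does not define its metric this precisely, so that definition, the `min_count` floor to suppress small-sample noise, and all domain, provider, and country values are assumptions for illustration.

```python
from collections import defaultdict
from typing import Callable, Dict, List, NamedTuple, Optional


class Record(NamedTuple):
    domain: str
    registrant_email: Optional[str]
    privacy_service: Optional[str]   # Whois privacy/proxy provider, if any
    country: str                     # country of the domain's resolving IP
    malicious: bool                  # label from a blocklist or analyst verdict


# Constructed sample data (not DomainTools data): 20 records, 8 malicious.
RECORDS: List[Record] = [
    Record("alpha-retail.com", "owner@corp-a.example", None, "US", False),
    Record("bravo-bank.com", "it@corp-b.example", None, "DE", False),
    Record("charlie-news.com", "editor@corp-c.example", None, "US", False),
    Record("delta-hosting.com", "admin@freemail.example", "privacyguard.example", "NL", False),
    Record("echo-shop.com", "sales@corp-d.example", None, "US", False),
    Record("foxtrot-blog.com", "me@freemail.example", None, "DE", False),
    Record("golf-travel.com", "info@corp-e.example", None, "US", False),
    Record("hotel-apps.com", "dev@webmail.example", "privacyguard.example", "NL", False),
    Record("india-secure-login.com", "x1@freemail.example", "privacyguard.example", "NL", True),
    Record("juliet-account-verify.com", "x2@freemail.example", "privacyguard.example", "NL", True),
    Record("kilo-update.xyz", "x3@freemail.example", "privacyguard.example", "NL", True),
    Record("lima-invoice.xyz", "x4@freemail.example", None, "DE", True),
    Record("mike-prize.xyz", "x5@webmail.example", "privacyguard.example", "NL", True),
    Record("november-crypto.xyz", "x6@freemail.example", "privacyguard.example", "US", True),
    Record("oscar-art.xyz", "artist@webmail.example", None, "US", False),
    Record("papa-isp.net", "noc@corp-f.example", None, "US", False),
    Record("quebec-radio.net", "studio@corp-g.example", None, "DE", False),
    Record("romeo-cdn.net", "ops@corp-h.example", None, "NL", False),
    Record("sierra-support-desk.net", "x7@freemail.example", "privacyguard.example", "US", True),
    Record("tango-wallet.net", "x8@webmail.example", None, "DE", True),
]


class Concentration(NamedTuple):
    value: str
    total: int
    malicious: int
    malicious_rate: float
    relative_badness: float   # malicious_rate / corpus-wide malicious rate (assumed metric)


# Pivot functions: each maps a record to the attribute value being measured.
def by_tld(r: Record) -> str:
    # The TLD is the last DNS label; for "co.uk"-style public suffixes a
    # public-suffix list would be needed, but the report pivots on true TLDs.
    return r.domain.rstrip(".").rsplit(".", 1)[-1].lower()


def by_email_provider(r: Record) -> Optional[str]:
    # Provider is the domain part of the registrant email; None if redacted.
    if not r.registrant_email or "@" not in r.registrant_email:
        return None
    return r.registrant_email.rsplit("@", 1)[-1].lower()


def by_privacy_service(r: Record) -> str:
    return r.privacy_service or "(none)"


def by_country(r: Record) -> str:
    return r.country.upper()


def concentration(records: List[Record], key_fn: Callable[[Record], Optional[str]],
                  min_count: int = 1) -> Dict[str, Concentration]:
    """Malicious rate per pivot value, relative to the whole-corpus rate."""
    base_rate = sum(r.malicious for r in records) / len(records)
    counts = defaultdict(lambda: [0, 0])   # value -> [total, malicious]
    for r in records:
        key = key_fn(r)
        if key is None:
            continue   # attribute unavailable for this record; skip, don't fabricate
        counts[key][0] += 1
        counts[key][1] += int(r.malicious)
    result = {}
    for value, (n, m) in counts.items():
        if n < min_count:
            continue   # too few records for the rate to mean anything
        rate = m / n
        result[value] = Concentration(value, n, m, rate, rate / base_rate)
    return result


def hot_spots(records: List[Record], key_fn: Callable[[Record], Optional[str]],
              min_count: int = 3, threshold: float = 1.5) -> List[str]:
    """Pivot values whose relative badness exceeds `threshold`, worst first."""
    stats = concentration(records, key_fn, min_count)
    hot = [c for c in stats.values() if c.relative_badness > threshold]
    return [c.value for c in sorted(hot, key=lambda c: -c.relative_badness)]


if __name__ == "__main__":
    for name, fn in [("TLD", by_tld), ("email provider", by_email_provider),
                     ("privacy service", by_privacy_service), ("IP country", by_country)]:
        print(f"{name}: hot spots = {hot_spots(RECORDS, fn)}")
```

On the constructed data, `.xyz`, the `freemail.example` provider and the `privacyguard.example` privacy service come out as hot spots, while no country crosses the 1.5x threshold; on real data the `min_count` floor matters far more, because a TLD or provider with a handful of registrations can show an extreme ratio by chance. A production version would also want a confidence interval on each rate rather than a single threshold.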